an optimal statistical test for robust detection against interest...
TRANSCRIPT
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
An Optimal Statistical Test for Robust Detectionagainst Interest Flooding Attacks in CCN
Tan NGUYEN Remi COGRANNE Guillaume DOYEN
ANR DOCTOR project, number <ANR-14-CE28-000>Troyes University of Technology, France
{ngoc_tan.nguyen, remi.cogranne, guillaume.doyen}@utt.fr
14th IFIP/IEEE Symposium on Integrated Networkand Service Management 2015
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Outline
1 Content Centric Network
2 Interest flooding detection
3 Proposed Uniformly Most Powerful detector
4 Evaluation results
5 Conclusion & future work
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Outline
1 Content Centric Network
2 Interest flooding detection
3 Proposed Uniformly Most Powerful detector
4 Evaluation results
5 Conclusion & future work
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Information Centric Network (ICN)
Internet usage keeps growing tremendouslyRecent efforts aiming to a clean-slate network for the future
ICN key concepts
Naming content object instead of using IP address
In-network caches
Ensure content integrity, authenticity
Natively solve part of problems: multicast, mobility support,IP address shortage ...
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Content Centric Network (CCN)
Promising future network architectureCommunications by Interest and Data packets
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Outline
1 Content Centric Network
2 Interest flooding detection
3 Proposed Uniformly Most Powerful detector
4 Evaluation results
5 Conclusion & future work
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Interest flooding
A Denial-of-Service variation in CCN environment
Attack principleOverload PIT with a large amount of Interests for non-existentcontent names, prevent router from processing Interests fromlegitimate user
Highly riskNon-existent name can be easily createdCan effect on large scale
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Previous work
Proposed solutions against Interest flooding exist [1] [2] [3]A combination of both reliable detector and effectivecountermeasure still missing
Previous detection method’s drawbacks
Unclear threshold selection, usually based on experiences
⇒ Rigid performance, only valid in evaluated cases⇒ Costly to address different conditions
No expected theoretical performance
⇒ Achieved results under-optimal
Evaluate with easily detected cases
⇒ Unreliable and weak performance against challenge cases
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Outline
1 Content Centric Network
2 Interest flooding detection
3 Proposed Uniformly Most Powerful detector
4 Evaluation results
5 Conclusion & future work
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Methodology
Statistical Hypotheses Testing with Neyman-Pearson approach
Assumptions
In ∼ Π(λ); Dn ∼ B(In; p0)
Parameters p0, λ constant, already known
Values of Dn statistically independent
Additional malicious Interests issued by attacker in ∼ Π(a)
Links’ and content providers’ capacity is sufficient
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Method’s key concepts
False-alarm rate α: false positivesDetection power β: true positivesMiss-detection rate 1− β: false negativesUniformly Most Powerful (UMP) test is a test achievethe best β for a given αDetection threshold τ
Problems of previous workτ, α and β come after empirical data of particular cases andthe detector is not the uniformly most powerful
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Proposed detection method
Proposed UMP detector
X =N∑
i=1
Xn =N∑
i=1
Dn − In.p0√In p0(1− p0)
Interface is{
normal if X ≥ τunder attack if X < τ
Threshold & expected detection power
τ = Φ−1(α)√
N
β = Φ
(Φ−1(α)
√N − Nµ1
σ1√
N
)T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Outline
1 Content Centric Network
2 Interest flooding detection
3 Proposed Uniformly Most Powerful detector
4 Evaluation results
5 Conclusion & future work
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Evaluation setupReuse ndnSIM source code of competitor and modify it tointegrate all the configuration
Our competitorAfanasyev, Alexander, et al. "Interest flooding attack andcountermeasures in Named Data Networking." IFIP NetworkingConference, 2013. IEEE, 2013.
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Approach relevance
-4 -3 -2 -1 0 1 2 3 τ10−3
10−2
10−1
100
Theoritical value of αTheoritical value of βEmpirical value of αEmpirical value of β
Figure: Theoretical and empirical α and β as a function of threshold τ .
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Performance comparison
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 α0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9β(α)
Empirical of UMP test
Empirical of previous detector
Theoritical of UMP test
Figure: Overall performance of UMP test and the satisfaction ratioDn/In test.
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Identifying challenge cases
0.7 0.72 0.74 0.76 0.78 0.8 0.82 0.84 0.86 0.88 p10-4
10-3
10-2
10-1
1−β(p)
Empirical result
Theoretical result
Figure: Empirical and theoretical 1− β of the UMP test, for a singlehost, as a function of p. Here α = 0.05, N = 1 and p0 = 0.85.
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Potential improvement for challenge cases
0 2 4 6 8 10 12 14 16 18 N0.3
0.4
0.5
0.6
0.7
0.8
0.9
β(N)
Empirical result
Theoretical result
Figure: Empirical and theoretical β of the UMP test as a function ofsample size N. Here α = 0.05, p0 = 0.85 and p = 0.825.
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Outline
1 Content Centric Network
2 Interest flooding detection
3 Proposed Uniformly Most Powerful detector
4 Evaluation results
5 Conclusion & future work
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Conclusion & future work
The proposed detectorHas a clearly-defined, scalable thresholdThreshold independent of users’ behavior, adaptable to αHas better performance, even in some challenge casesProvide a reliable theoretical performanceMaster the trade-off between accuracy and detection delay
Future workAddress important-but-less-noticeable attack strategiesDevelop a mitigation strategy
T. Nguyen, R. Cogranne, G. Doyen
Content Centric NetworkInterest flooding detection
Proposed Uniformly Most Powerful detectorEvaluation results
Conclusion & future work
Afanasyev, Alexander, Priya Mahadevan, Ilya Moiseenko, ErsinUzun, and Lixia ZhangInterest flooding attack and countermeasures in Named DataNetworkingIFIP Networking Conference pp. 1-9. IEEE, 2013.
Compagno, Alberto, Mauro Conti, Paolo Gasti, and Gene TsudikPoseidon: Mitigating Interest flooding DDoS attacks in NamedData NetworkingIEEE Conference on Local Computer Networks (LCN) pp.630-638. IEEE, 2013.
Dai, Huichen, Yi Wang, Jindou Fan, and Bin LiuMitigate ddos attacks in ndn by interest tracebackComputer Communications Workshops (INFOCOM WKSHPS)pp. 381-386. IEEE, 2013.
T. Nguyen, R. Cogranne, G. Doyen